On March 6, 2017, a remote command execution vulnerability in Apache Struts 2 was disclosed. Its Struts advisory number is S2-045, and its CVE number is CVE-2017-5638. The flaw lies in file uploads handled by the Jakarta multipart plugin and can allow an attacker to compromise the system.
See the following for more information about the vulnerability.
Struts remote code execution vulnerability based on the Jakarta plugin
Because the error handling of the upload feature fails to safely process error messages that incorporate user-supplied input, a remote attacker can set a crafted Content-Type value in the HTTP request header, send the malicious request, and run arbitrary system commands on the affected server.
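The attack vector described above is a crafted Content-Type header, and that is also what makes it detectable: a legitimate Content-Type follows a very narrow grammar (type/subtype plus name=value parameters), and expression delimiters such as `%{` or `${` never appear in one. The script below is an added example for the defender's side; it is not code from this advisory or from Apache Struts. It assumes request records are available in the constructed form shown (source address, path, header value) and that the two delimiters named are the markers worth flagging.

```python
import re

# Token and quoted-string grammar from RFC 7230 (media-type parameters).
# A benign multipart Content-Type is just type/subtype plus ;name=value pairs.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf";\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}\s*(?:{_PARAM}\s*)*$")

# Expression-language delimiters that have no place in a Content-Type value.
_EXPRESSION_MARKER = re.compile(r"[%$]\{")


def classify_content_type(value):
    """Return 'ok', 'expression-marker' or 'malformed' for one header value."""
    if _EXPRESSION_MARKER.search(value):
        # Checked before the grammar: a marker hidden inside a quoted
        # parameter value is grammatically valid but still hostile.
        return "expression-marker"
    if not _MEDIA_TYPE.match(value):
        return "malformed"
    return "ok"


# Constructed sample records (not real traffic): source address, path, header.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.10", "path": "/upload",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"},
    {"src": "198.51.100.11", "path": "/login",
     "content_type": "application/x-www-form-urlencoded"},
    {"src": "198.51.100.12", "path": "/api/notes",
     "content_type": 'text/plain; charset="utf-8"'},
    {"src": "203.0.113.5", "path": "/upload",
     "content_type": "multipart/form-data; boundary=%{PLACEHOLDER_EXPRESSION}"},
    {"src": "203.0.113.6", "path": "/upload",
     "content_type": 'multipart/form-data; boundary="${PLACEHOLDER_EXPRESSION}"'},
    {"src": "203.0.113.7", "path": "/upload",
     "content_type": "multipart/form-data; boundary"},
]


def scan_requests(requests):
    """Return (src, path, verdict) for every request whose header is not 'ok'."""
    findings = []
    for req in requests:
        verdict = classify_content_type(req["content_type"])
        if verdict != "ok":
            findings.append((req["src"], req["path"], verdict))
    return findings


if __name__ == "__main__":
    for src, path, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{src} {path}: {verdict}")
```

Run the check on the raw header value as received (at the WAF, the reverse proxy, or over access logs that record Content-Type), before any decoding, so that an encoded delimiter is not normalised away before it is inspected. Malformed values are reported separately from expression markers because the former are also produced by buggy clients and usually deserve a lower severity.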
Condition and method of exploitation
The vulnerability allows an attacker to run code through the Jakarta plugin. Affected versions:
- Struts 2.3.5 - 2.3.31
- Struts 2.5 - 2.5.10
How to fix or mitigate
By default, Struts 2 uses the Jakarta Commons FileUpload file upload parser, which contains the vulnerability. The default configuration is struts.multipart.parser=jakarta. To avoid the vulnerability, switch to another parser, such as the COS file upload parser (struts.multipart.parser=cos) or the Pell file upload parser.
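The mitigation above comes down to one question: what is the effective value of struts.multipart.parser, bearing in mind that an absent setting means jakarta? The script below is an added example (not code from this advisory or from Apache Struts) that audits constructed struts.xml and struts.properties fragments. It assumes the constant may be declared in either file, that Struts' documented load order lets a struts.properties entry override a struts.xml constant, and that the configuration value for the Pell parser is pell.

```python
import xml.etree.ElementTree as ET

PARSER_CONSTANT = "struts.multipart.parser"
VULNERABLE_PARSER = "jakarta"   # the default, and the parser S2-045 affects


def parser_from_struts_xml(xml_text):
    """Return the parser set via <constant> in struts.xml, or None if unset."""
    root = ET.fromstring(xml_text)
    value = None
    for const in root.iter("constant"):
        if const.get("name") == PARSER_CONSTANT:
            value = const.get("value")   # a later declaration wins
    return value


def parser_from_properties(props_text):
    """Return the parser set in struts.properties, or None if unset."""
    value = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # blank or comment
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == PARSER_CONSTANT:
            value = val.strip()
    return value


def effective_parser(xml_text=None, props_text=None):
    """Resolve the parser Struts will actually use.

    Assumption (from the documented load order): struts.properties overrides
    struts.xml, and an unset constant falls back to the jakarta default.
    """
    value = None
    if xml_text is not None:
        value = parser_from_struts_xml(xml_text) or value
    if props_text is not None:
        value = parser_from_properties(props_text) or value
    return value or VULNERABLE_PARSER


def audit(xml_text=None, props_text=None):
    """Report the effective parser and whether it is the vulnerable default."""
    parser = effective_parser(xml_text, props_text)
    return {"parser": parser, "vulnerable_default": parser == VULNERABLE_PARSER}


# Constructed sample fragments (not taken from a real deployment).
STRUTS_XML_NO_CONSTANT = """
<struts>
  <package name="default" extends="struts-default"/>
</struts>
"""
STRUTS_XML_COS = """
<struts>
  <constant name="struts.multipart.parser" value="cos"/>
  <package name="default" extends="struts-default"/>
</struts>
"""
STRUTS_PROPERTIES_JAKARTA = "# explicit default\nstruts.multipart.parser=jakarta\n"
STRUTS_PROPERTIES_PELL = "struts.multipart.parser = pell\n"

if __name__ == "__main__":
    print("no constant      :", audit(STRUTS_XML_NO_CONSTANT))
    print("cos in struts.xml:", audit(STRUTS_XML_COS))
    print("xml cos, props jakarta:", audit(STRUTS_XML_COS, STRUTS_PROPERTIES_JAKARTA))
    print("pell in properties:", audit(props_text=STRUTS_PROPERTIES_PELL))
```

The second and third cases are the ones worth remembering: a struts.xml that looks fixed can still be undone by a struts.properties entry shipped elsewhere in the build, and a configuration with no parser constant at all is not "unconfigured" but jakarta. Switching parsers also requires the matching library on the classpath, so verify the application still accepts uploads after the change.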
Note: Take backup snapshots before upgrading.
Use Alibaba Cloud Security WAF for defense.